H-REAP Enhancements (Cisco Wireless LAN Controllers)

Since the introduction of H-REAP, several enhancements have been implemented to make it more robust and provide client access and authentication methods in the event the AP transitions to standalone mode.

Backup RADIUS Server

Starting in code Release 4.2, you can configure an H-REAP AP with a backup RADIUS server. This allows the AP to perform full 802.1x EAP authentications using RADIUS while in standalone mode. The backup RADIUS server can be any RADIUS server on the network as long as the H-REAP AP still has network connectivity to that server during the network outage that caused it to enter standalone mode in the first place.

To configure an H-REAP AP with a backup RADIUS server, use the following command from the controller CLI:


H-REAP Groups

H-REAP groups are another 4.2 feature that allows you to group APs that you want to share a common backup RADIUS server. If you have several H-REAP APs, for example, it is far less work to create an H-REAP group and add the APs to that group than to specify the RADIUS servers on each individual AP. In later code releases, you can also configure H-REAP groups for local authentication. An H-REAP AP can be a member of only one H-REAP group. You can configure up to 20 H-REAP groups with 25 APs in each group per controller. Figure 13-10 shows an H-REAP group example.


H-REAP groups are required for CCKM fast roaming to work with H-REAP APs. CCKM fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can occur when a wireless client roams to a different AP. This feature prevents the need to perform a full RADIUS EAP authentication as the client roams from one H-REAP AP to another within the same H-REAP group. If you create an H-REAP group comprising a limited number of APs (for example, you create a group for four APs in a remote office), the clients can roam only among those four APs, and the CCKM cache is distributed among those four APs only when the clients associate to one of them.

Figure 13-10 H-REAP Group Configuration Example

Following is additional information on CCKM and H-REAP:

■ The H-REAP APs receive the CCKM cache keys from the controller.

■ The cache keys are stored on the AP. The AP can use the key in connected or standalone mode.

■ If an H-REAP AP boots up in the standalone mode, fast roaming is not supported because the AP cannot get the CCKM keys from the controller.

■ CCKM fast roaming is not supported between H-REAP and non-H-REAP APs. It is also not supported between different H-REAP groups. A client has to perform a full EAP authentication.

■ The controller distributes the cache key for a client to the APs in the configured H-REAP group the client is connected to.

■ CCKM cache key aging is based on the WLAN session timeout value.

■ CCKM cache keys are deleted when the client is removed from the system.

Local Authentication

With code Release 5.0 and higher, local authentication features were added to the H-REAP group configuration. You can configure your H-REAP APs to perform Lightweight Extensible Authentication Protocol (LEAP) or EAP-FAST using a local RADIUS server on the AP. Originally, this was limited to 20 users, but with the 5.2 release of code, you can configure up to 100 users. When an H-REAP AP joins the controller, it receives the list of users. The AP only authenticates users present in its list. Figure 13-11 shows the local authentication page of an H-REAP group.

After you have defined your usernames and passwords, you need to configure the protocols that local authentication will support. You do this using the Protocols tab, as illustrated in Figure 13-12.

As you can see, only LEAP and EAP-FAST are supported.

If a backup RADIUS server is configured and the AP transitions to standalone mode, so that it can no longer perform central authentication through the controller, the AP always tries the backup external RADIUS server first. Should the backup RADIUS server fail to respond, the AP falls back to its own local database to authenticate the user.
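To make the CCKM cache rules listed above and the standalone authentication order in this paragraph concrete, here is an added Python model of both. It is not Cisco code; the group, AP and client names and the `backup_radius` callback (which returns `None` when the server does not respond) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

MAX_LOCAL_USERS = 100  # local authentication user limit from code Release 5.2 on


@dataclass
class HreapGroup:
    name: str
    aps: Set[str] = field(default_factory=set)                 # AP names in the group
    local_users: Dict[str, str] = field(default_factory=dict)  # username -> password

    def add_user(self, user: str, password: str) -> None:
        if len(self.local_users) >= MAX_LOCAL_USERS:
            raise ValueError("local user list is full")
        self.local_users[user] = password


@dataclass
class HreapAp:
    name: str
    group: Optional[HreapGroup] = None
    connected: bool = True                             # False = standalone mode
    cckm_cache: Set[str] = field(default_factory=set)  # clients with a cached key


def distribute_cckm_key(group: HreapGroup, aps: Dict[str, HreapAp], client: str) -> None:
    """Controller pushes the client's cache key to every AP in its group; an AP that
    is standalone at that moment (e.g. it booted standalone) never receives it."""
    for ap_name in group.aps:
        if aps[ap_name].connected:
            aps[ap_name].cckm_cache.add(client)


def can_fast_roam(client: str, src: HreapAp, dst: HreapAp) -> bool:
    """Fast roam only between APs of the same H-REAP group, and only if the target
    AP already holds the key (it may use it in connected or standalone mode)."""
    if src.group is None or dst.group is None or src.group is not dst.group:
        return False
    return client in dst.cckm_cache


def authenticate_standalone(ap: HreapAp, user: str, password: str,
                            backup_radius: Optional[Callable[[str, str], Optional[bool]]]) -> str:
    """Standalone order: backup RADIUS first (None = no response), then the local list."""
    if backup_radius is not None:
        verdict = backup_radius(user, password)
        if verdict is not None:
            return "radius-accept" if verdict else "radius-reject"
    if ap.group is not None and ap.group.local_users.get(user) == password:
        return "local-accept"
    return "local-reject"
```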
